The European Banking Administration (EBA) dropped a time bomb on the networks June 21 when it issued the opinion that EMV 3D Secure did not meet the requirements of Strong Customer Authentication (SCA) as required under PSD2.
Now the U.K.’s Financial Conduct Authority has delivered an 18 month reprieve. In contrast, although the EBA has said more time is probably needed, it hasn’t yet offered a similarly broad reprieve, and the September 14 deadline is fast approaching:
“The UK’s financial regulator has agreed to give the country’s payments and e-commerce providers more time to comply with new user authentication rules mandated by PSD2.
The Financial Conduct Authority (FCA) said yesterday that it would provide card issuers, payments firm and online retailers with an 18-month timeline to implement the Strong Customer Authentication (SCA) checks.
This is in line with the opinion of the European Banking Authority (EBA), which recently admitted that more time was needed to implement SCA given its complexity and a lack of preparedness in the market.
Originally set for a September 14 deadline, SCA will force any firms accepting payments online to ensure they apply two-factor authentication checks on their customers. In many cases, this will come in the form of the popular 3-D Secure option.
However, exceptions are made for low value payments (under €30), recurring payments such as subscriptions, customers who have whitelisted merchants they trust, and low-risk transactions. The latter requires a real-time risk assessment on each payment, and therefore advanced fraud screening tools.
The FCA will now not take action if any firms don’t meet the September 2019 deadline, as long as they can demonstrate “there is evidence that they have taken the necessary steps to comply with the plan.”
The EBA has stated that behavioral biometrics meet the SCA requirements for “inherence,” a unique characteristic or attribute that identifies an individual. This suggests that EMV 3D Secure can add a behavioral biometric to the list of data that merchants are required to send to the issuing bank in order to deliver 2 Factor Authentication (2FA).
It remains to be seen if the networks can get a large percentage of transactions to fall under the existing exception criteria. It will be interesting to see if the networks can achieve a low-risk metric for the majority of transactions using the data they do collect under the existing EMV 3D Secure standard when that data is connected to more powerful AI-driven fraud detection methods. If they can, then the inability to enable 2FA becomes less problematic.
Quoted article by Infosecurity Magazine can be found here.
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group